Analyse images builded from Docker Buildx remote driver #7181
Question

Hello all! I have a Kubernetes cluster which runs a Docker BuildKit rootless daemon (see docker buildx, but currently I made my own chart here). I want to have that scenario in my Jenkins pipeline:

I already tried to add the --load arg to my command. I run these commands in the pipeline:

docker buildx create --name testBuilder --driver=remote tcp://buildkitd.docker-buildkit.svc.cluster.local:1234 --use --bootstrap
docker buildx build -f Dockerfile -o type=docker,dest=- --load -t image:1.0.0
trivy image momo:1.0.0

That should be possible in my opinion, but I think I'm not good with Docker context/builder.. :(
Replies: 2 comments 11 replies
Did you try
Hi @Momotoculteur! Now my steps are as follows:
$ ./create-certs.sh 127.0.0.1
$ kubectl apply -f .certs/buildkit-daemon-certs.yaml
$ kubectl apply -f deployment+service.rootless.yaml
$ kubectl scale --replicas=3 deployment/buildkitd
$ kubectl port-forward service/buildkitd 1234
$ docker buildx create \
--name mybuilder \
--driver remote \
--driver-opt cacert=${PWD}/.certs/client/ca.pem,cert=${PWD}/.certs/client/cert.pem,key=${PWD}/.certs/client/key.pem,servername=127.0.0.1 \
tcp://localhost:1234
mybuilder
$ docker buildx inspect --bootstrap
Name: mybuilder
Driver: remote
Last Activity: 2024-07-25 06:42:37 +0000 UTC
Nodes:
Name: mybuilder0
Endpoint: tcp://localhost:1234
...
$ cat Dockerfile
FROM alpine:3.16.1
$ docker buildx build --builder mybuilder -t myrego/myimage:1 . --load
[+] Building 0.9s (6/6) FINISHED remote:mybuilder
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 55B 0.0s
=> [internal] load metadata for docker.io/library/alpine:3.16.1 0.6s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> CACHED [1/1] FROM docker.io/library/alpine:3.16.1@sha256:7580ece7963bfa863801466c0a488f11c86f85d9988051a9f9c68cb27f6b7872 0.0s
=> => resolve docker.io/library/alpine:3.16.1@sha256:7580ece7963bfa863801466c0a488f11c86f85d9988051a9f9c68cb27f6b7872 0.0s
=> exporting to docker image format 0.2s
=> => exporting layers 0.0s
=> => exporting manifest sha256:414f5de3ccda6ae498a2bad1a08bc4543394462e67e2568e3b9df75ce2c472a9 0.0s
=> => exporting config sha256:df2f35046d25a99c91ff8add145d166f54ef42d07dd896654cf0ccf643954dad 0.0s
=> => sending tarball 0.2s
=> importing to docker
$ docker buildx ls
NAME/NODE DRIVER/ENDPOINT STATUS BUILDKIT PLATFORMS
mybuilder* remote
\_ mybuilder0 \_ tcp://localhost:1234 running 655a124 linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
default docker
\_ default \_ default running v0.15.0 linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
$ trivy image myrego/myimage:1
2024-07-25T12:47:41+06:00 INFO Need to update DB
2024-07-25T12:47:41+06:00 INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
50.21 MiB / 50.21 MiB [----------------------------------------------------------------------------------------------------------------------] 100.00% 5.68 MiB p/s 9.0s
2024-07-25T12:47:52+06:00 INFO Vulnerability scanning is enabled
2024-07-25T12:47:52+06:00 INFO Secret scanning is enabled
2024-07-25T12:47:52+06:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-25T12:47:52+06:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-25T12:47:52+06:00 INFO Detected OS family="alpine" version="3.16.1"
2024-07-25T12:47:52+06:00 INFO [alpine] Detecting vulnerabilities... os_version="3.16" repository="3.16" pkg_num=14
2024-07-25T12:47:52+06:00 INFO Number of language-specific files num=0
2024-07-25T12:47:52+06:00 WARN This OS version is no longer supported by the distribution family="alpine" version="3.16.1"
2024-07-25T12:47:52+06:00 WARN The vulnerability detection may be insufficient because security updates are not provided
myrego/myimage:1 (alpine 3.16.1)
Total: 23 (UNKNOWN: 0, LOW: 0, MEDIUM: 14, HIGH: 8, CRITICAL: 1)
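The pipeline that afdesk's steps describe (remote builder, build, Trivy scan), written up as an added example that is not code from the discussion or from the Trivy project. Instead of --load it exports a docker-format tarball and scans it with `trivy image --input`, so the Jenkins agent needs no Docker daemon for the scan step; the builder name and endpoint are taken from the question, and the severity gate is an assumed policy.

```python
"""Build on a remote BuildKit builder, export a docker-format tarball and scan it with
Trivy. Added example, not code from the discussion; names and the gate are assumptions."""
import json
import subprocess
from collections import Counter

BUILDER = "testBuilder"  # builder name and endpoint as used in the question
ENDPOINT = "tcp://buildkitd.docker-buildkit.svc.cluster.local:1234"
GATE = {"CRITICAL": 0, "HIGH": 5}  # assumed policy: max findings allowed per severity

def build_commands(tag, tar_path, dockerfile="Dockerfile"):
    """The three pipeline commands. Exporting with -o type=docker,dest=<file> and
    scanning with --input needs no Docker daemon on the agent, unlike --load."""
    return [
        ["docker", "buildx", "create", "--name", BUILDER, "--driver", "remote",
         ENDPOINT, "--bootstrap"],
        ["docker", "buildx", "build", "--builder", BUILDER, "-f", dockerfile,
         "-o", f"type=docker,dest={tar_path}", "-t", tag, "."],
        ["trivy", "image", "--input", tar_path, "--format", "json"],
    ]

def severity_counts(report_json):
    """Count vulnerabilities per severity in a Trivy JSON report."""
    counts = Counter()
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # may be null
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts

def gate_violations(counts, gate=GATE):
    """Severities whose finding count exceeds the allowed maximum."""
    return sorted(s for s, limit in gate.items() if counts.get(s, 0) > limit)

def run_pipeline(tag, tar_path="image.tar"):
    """Create builder, build, scan and fail the job if the gate is exceeded."""
    create, build, scan = build_commands(tag, tar_path)
    subprocess.run(create, check=False)  # fails harmlessly if builder exists
    subprocess.run(build, check=True)
    report = subprocess.run(scan, check=True, capture_output=True, text=True).stdout
    counts = severity_counts(report)
    if bad := gate_violations(counts):
        raise SystemExit(f"scan gate failed for {bad}: {dict(counts)} > {GATE}")
    return counts

# Constructed sample in the shape of `trivy image --format json`; IDs are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "image.tar (alpine 3.16.1)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH"}]},
    {"Target": "app/requirements.txt", "Vulnerabilities": None}]})
```

Call `run_pipeline("image:1.0.0")` from the Jenkins step; a non-zero exit from the gate fails the build the same way a failed `docker buildx build` would.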
I will check TLS and namespace subjects then. But BuildKit's team is not as fast as you are at communicating :) Seems to be a Docker issue and not Trivy.
Thanks a lot for your help and your time @afdesk